[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-11-gdd3b248
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-11-gdd3b248 |
|
Date: |
Fri, 28 Sep 2012 17:00:39 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=dd3b2483a26a852dedb6223e4fcb389c0863998f
The branch, master has been updated
via dd3b2483a26a852dedb6223e4fcb389c0863998f (commit)
via f7210341ee723faf157236ee36ef96a3317958d2 (commit)
from 5dca97ab4787f50a76d23e2e4c639b71e52dbb8d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit dd3b2483a26a852dedb6223e4fcb389c0863998f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Sep 28 19:00:19 2012 +0200
Use the server's OCSP provided data when verifying a certificate's validity.
commit f7210341ee723faf157236ee36ef96a3317958d2
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Sep 28 18:54:15 2012 +0200
The certificate verification callback is being run after the certificate
status response is received.
-----------------------------------------------------------------------
Summary of changes:
lib/auth/cert.c | 10 +-----
lib/ext/status_request.c | 5 +--
lib/gnutls_handshake.c | 82 ++++++++++++++++++++++++++++++----------------
lib/gnutls_int.h | 4 +-
src/cli.c | 25 +++++++++++++-
src/ocsptool-common.c | 31 ++++++++++++++++--
6 files changed, 111 insertions(+), 46 deletions(-)
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 0e9e0d9..44835f0 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -1396,8 +1396,7 @@ cleanup:
#endif
int
-_gnutls_proc_crt (gnutls_session_t session,
- uint8_t * data, size_t data_size)
+_gnutls_proc_crt (gnutls_session_t session, uint8_t * data, size_t data_size)
{
int ret;
gnutls_certificate_credentials_t cred;
@@ -1428,13 +1427,6 @@ _gnutls_proc_crt (gnutls_session_t session,
return GNUTLS_E_INTERNAL_ERROR;
}
- if (ret == 0 && cred->verify_callback != NULL)
- {
- ret = cred->verify_callback (session);
- if (ret != 0)
- ret = GNUTLS_E_CERTIFICATE_ERROR;
- }
-
return ret;
}
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index 489d949..8cfe1de 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -136,8 +136,6 @@ server_recv (gnutls_session_t session,
priv->responder_id_size = _gnutls_read_uint16 (data);
- _gnutls_debug_log("Status Request: Responder ID size: %u\n",
priv->responder_id_size);
-
DECR_LEN(data_size, 2);
data += 2;
@@ -270,7 +268,8 @@ _gnutls_status_request_recv_params (gnutls_session_t
session,
*
* This function is to be used by clients to request OCSP response
* from the server, using the "status_request" TLS extension. Only
- * OCSP status type is supported. Typically @responder_id and @extensions
+ * OCSP status type is supported. A typical server has a single
+ * OCSP response cached, so @responder_id and @extensions
* should be null.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index b6a5e62..804ae1b 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2473,6 +2473,27 @@ gnutls_handshake_set_timeout (gnutls_session_t session,
unsigned int ms)
} } while (0)
+static int run_verify_callback(gnutls_session_t session)
+{
+ gnutls_certificate_credentials_t cred;
+ int ret;
+
+ cred =
+ (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
+
GNUTLS_CRD_CERTIFICATE,
+ NULL);
+ if (cred == NULL)
+ return 0;
+
+ if (cred->verify_callback != NULL)
+ {
+ ret = cred->verify_callback (session);
+ if (ret != 0)
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ return 0;
+}
/*
* _gnutls_handshake_client
@@ -2503,14 +2524,14 @@ _gnutls_handshake_client (gnutls_session_t session)
STATE = STATE1;
IMED_RET ("send hello", ret, 1);
- case STATE11:
+ case STATE2:
if (IS_DTLS (session))
{
ret =
_gnutls_recv_handshake (session,
GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
1, NULL);
- STATE = STATE11;
+ STATE = STATE2;
IMED_RET ("recv hello verify", ret, 1);
if (ret == 1)
@@ -2519,91 +2540,96 @@ _gnutls_handshake_client (gnutls_session_t session)
return 1;
}
}
- case STATE2:
+ case STATE3:
/* receive the server hello */
ret =
_gnutls_recv_handshake (session,
GNUTLS_HANDSHAKE_SERVER_HELLO,
0, NULL);
- STATE = STATE2;
+ STATE = STATE3;
IMED_RET ("recv hello", ret, 1);
- case STATE70:
+ case STATE4:
if (session->security_parameters.do_recv_supplemental)
{
ret = _gnutls_recv_supplemental (session);
- STATE = STATE70;
+ STATE = STATE4;
IMED_RET ("recv supplemental", ret, 1);
}
- case STATE3:
+ case STATE5:
/* RECV CERTIFICATE */
if (session->internals.resumed == RESUME_FALSE) /* if we are not
resuming */
ret = _gnutls_recv_server_certificate (session);
- STATE = STATE3;
+ STATE = STATE5;
IMED_RET ("recv server certificate", ret, 1);
- case STATE4:
+ case STATE6:
/* RECV CERTIFICATE STATUS */
if (session->internals.resumed == RESUME_FALSE) /* if we are not
resuming */
ret = _gnutls_recv_server_certificate_status (session);
- STATE = STATE4;
+ STATE = STATE6;
IMED_RET ("recv server certificate", ret, 1);
- case STATE5:
+ case STATE7:
+ ret = run_verify_callback(session);
+ STATE = STATE7;
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ case STATE8:
/* receive the server key exchange */
if (session->internals.resumed == RESUME_FALSE) /* if we are not
resuming */
ret = _gnutls_recv_server_kx_message (session);
- STATE = STATE5;
+ STATE = STATE8;
IMED_RET ("recv server kx message", ret, 1);
- case STATE6:
+ case STATE9:
/* receive the server certificate request - if any
*/
if (session->internals.resumed == RESUME_FALSE) /* if we are not
resuming */
ret = _gnutls_recv_server_crt_request (session);
- STATE = STATE6;
+ STATE = STATE9;
IMED_RET ("recv server certificate request message", ret, 1);
- case STATE7:
+ case STATE10:
/* receive the server hello done */
if (session->internals.resumed == RESUME_FALSE) /* if we are not
resuming */
ret =
_gnutls_recv_handshake (session,
GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
0, NULL);
- STATE = STATE7;
+ STATE = STATE10;
IMED_RET ("recv server hello done", ret, 1);
- case STATE71:
+ case STATE11:
if (session->security_parameters.do_send_supplemental)
{
- ret = _gnutls_send_supplemental (session, AGAIN (STATE71));
- STATE = STATE71;
+ ret = _gnutls_send_supplemental (session, AGAIN (STATE11));
+ STATE = STATE11;
IMED_RET ("send supplemental", ret, 0);
}
- case STATE8:
+ case STATE12:
/* send our certificate - if any and if requested
*/
if (session->internals.resumed == RESUME_FALSE) /* if we are not
resuming */
- ret = _gnutls_send_client_certificate (session, AGAIN (STATE8));
- STATE = STATE8;
+ ret = _gnutls_send_client_certificate (session, AGAIN (STATE12));
+ STATE = STATE12;
IMED_RET ("send client certificate", ret, 0);
- case STATE9:
+ case STATE13:
if (session->internals.resumed == RESUME_FALSE) /* if we are not
resuming */
- ret = _gnutls_send_client_kx_message (session, AGAIN (STATE9));
- STATE = STATE9;
+ ret = _gnutls_send_client_kx_message (session, AGAIN (STATE13));
+ STATE = STATE13;
IMED_RET ("send client kx", ret, 0);
- case STATE10:
+ case STATE14:
/* send client certificate verify */
if (session->internals.resumed == RESUME_FALSE) /* if we are not
resuming */
ret =
- _gnutls_send_client_certificate_verify (session, AGAIN (STATE10));
- STATE = STATE10;
+ _gnutls_send_client_certificate_verify (session, AGAIN (STATE14));
+ STATE = STATE14;
IMED_RET ("send client certificate verify", ret, 1);
STATE = STATE0;
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index fed0eef..9c4c850 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -223,8 +223,8 @@ typedef struct
typedef enum handshake_state_t
{ STATE0 = 0, STATE1, STATE2,
- STATE3, STATE4, STATE5,
- STATE6, STATE7, STATE8, STATE9, STATE10, STATE11,
+ STATE3, STATE4, STATE5, STATE6, STATE7, STATE8,
+ STATE9, STATE10, STATE11, STATE12, STATE13, STATE14,
STATE20 = 20, STATE21, STATE22,
STATE30 = 30, STATE31, STATE40 = 40, STATE41, STATE50 = 50,
STATE60 = 60, STATE61, STATE62, STATE70, STATE71
diff --git a/src/cli.c b/src/cli.c
index aaf66c1..95a6da9 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -403,7 +403,7 @@ cert_verify_callback (gnutls_session_t session)
if (!insecure && !ssh)
return -1;
}
- else if (ENABLED_OPT(OCSP))
+ else if (ENABLED_OPT(OCSP) || status_request_ocsp)
{ /* off-line verification succeeded. Try OCSP */
rc = cert_verify_ocsp(session);
if (rc == 0)
@@ -1104,6 +1104,9 @@ const char* rest = NULL;
record_max_size = OPT_VALUE_RECORDSIZE;
status_request_ocsp = HAVE_OPT(STATUS_REQUEST_OCSP);
+ if (ENABLED_OPT(OCSP))
+ status_request_ocsp = 1;
+
fingerprint = HAVE_OPT(FINGERPRINT);
if (HAVE_OPT(X509FMTDER))
@@ -1482,6 +1485,26 @@ cert_verify_ocsp (gnutls_session_t session)
ret = -1;
goto cleanup;
}
+
+ if (status_request_ocsp)
+ { /* try the server's OCSP response */
+ ret = gnutls_status_request_get_ocsp(session, &resp);
+ if (ret < 0 && !ENABLED_OPT(OCSP))
+ {
+ if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ fprintf(stderr, "gnutls_status_request_get_ocsp: %s\n",
gnutls_strerror(ret));
+ ret = -1;
+ goto cleanup;
+ }
+
+ if (ret >= 0)
+ {
+ ret = check_ocsp_response(issuer, &resp);
+ if (ret >= 0 || !ENABLED_OPT(OCSP))
+ goto cleanup;
+ }
+ }
+
ret = send_ocsp_request(NULL, crt, issuer, &resp, 1);
if (ret < 0)
diff --git a/src/ocsptool-common.c b/src/ocsptool-common.c
index 4436fd7..1c441b38 100644
--- a/src/ocsptool-common.c
+++ b/src/ocsptool-common.c
@@ -302,6 +302,9 @@ print_ocsp_verify_res (unsigned int output)
}
}
+/* three days */
+#define OCSP_VALIDITY_SECS (3*60*60*24)
+
/* Returns:
* 0: certificate is revoked
* 1: certificate is ok
@@ -314,7 +317,9 @@ check_ocsp_response (gnutls_x509_crt_t issuer,
gnutls_ocsp_resp_t resp;
int ret;
unsigned int status, cert_status;
- time_t rtime, ttime;
+ time_t rtime, vtime, ntime, now;
+
+ now = time(0);
ret = gnutls_ocsp_resp_init (&resp);
if (ret < 0)
@@ -344,7 +349,7 @@ check_ocsp_response (gnutls_x509_crt_t issuer,
}
ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
- &cert_status, &ttime, NULL, &rtime, NULL);
+ &cert_status, &vtime, &ntime, &rtime, NULL);
if (ret < 0)
error (EXIT_FAILURE, 0, "reading response: %s", gnutls_strerror (ret));
@@ -355,7 +360,27 @@ check_ocsp_response (gnutls_x509_crt_t issuer,
goto cleanup;
}
- printf("- OCSP server flags certificate not revoked as of %s",
ctime(&ttime));
+ if (ntime == -1)
+ {
+ if (now - vtime > OCSP_VALIDITY_SECS)
+ {
+ printf("*** The OCSP response is old (was issued at: %s) ignoring",
ctime(&vtime));
+ ret = -1;
+ goto cleanup;
+ }
+ }
+ else
+ {
+ /* there is a newer OCSP answer, don't trust this one */
+ if (ntime < now)
+ {
+ printf("*** The OCSP response was issued at: %s, but there is a
newer issue at %s", ctime(&vtime), ctime(&ntime));
+ ret = -1;
+ goto cleanup;
+ }
+ }
+
+ printf("- OCSP server flags certificate not revoked as of %s",
ctime(&vtime));
ret = 1;
cleanup:
gnutls_ocsp_resp_deinit (resp);
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-11-gdd3b248,
Nikos Mavrogiannopoulos <=